Google Screenwise: An Unwise Trade of All Your Privacy for Cash

Google Screenwise: An Unwise Trade of All Your Privacy for Cash

Imagine this: an enormous tech company is tracking what you do on your phone, even when you’re not using any of its services, down to the specific images that you see. It’s also tracking all of your network traffic, because you’re installing one of its specially-designed routers. And even though some of that traffic is encrypted, it can still know what websites you visit, due to how DNS resolution works. Oh, it’s also recording audio from a custom-microphone that’s placed near your TV, and analyzing what it hears.

It’s an always-on panopticon. In exchange for your privacy (and the privacy of any guests who may be using your Internet connection, or talking near your television), you receive a gift card for a whopping $20.

No, we’re not talking about Facebook—we’ve already detailed the frightening consequences of Facebook’s sneaky, privacy-invading and security-breaking “user research” program. This is Google’s “ScreenWise Meter,” another “research program” that, much like Facebook’s, caused an upheaval this week when it was exposed.

In order to spy on iOS users, Facebook took advantage of Apple’s enterprise application program to get around Apple’s strict app distribution rules. When news of this Facebook program hit earlier this week, Google scrambled to pull the plug on its own “user research” application, which was taking advantage of the same Apple program. Apple quickly revoked bothorganizations’ Enterprise Certificates, shutting down all of Facebook’s and Google’s internal iOS applications and tooling, leaving the two giants in disarray.

We’re not a fan of Apple’s walled-garden approach to application distribution and its strict control over who gets to play on its platform and who doesn’t. However, this drama shined a valuable spotlight on deceptive messages to users and data harvesting practices surrounding two so-called “opt-in” “research” panopticons.

Although Google pulled its iOS application, all the other parts of its Screenwise Meter surveillance program are still in operation—and in some cases, they collect even more data about their “research users” than the Facebook counterpart did.

“Metering” is a funny word for surveillance

In some ways, Google’s “research” is not as bad as Facebook’s, and in other ways, it’s much worse. The “less worse” parts: it’s not directly targeting teens, it didn’t surreptitiously hide Google’s involvement, it didn’t ask users to install a custom root certificate, and its dystopian marketing makes it more clear what the company is up to.

The “more worse” part: it’s asking you to opt into a panopticon. Although Google is heavily involved in much of the general public’s online and offline lives, Screenwise takes it a big leap ahead.

The Screenwise Meter mobile app and web extension basically allow Google to see what you see on your phone screen and web browser window. The application could monitor all your app usage and network traffic via side-loading a “custom” app on your smartphone. Since Google doesn’t ask you to install a root certificate like Facebook did, they can’t decrypt HTTPS traffic, but the app can see anything on your screen, as detailed by the “Content on Screen” section of its privacy policy.

Let's say you open the Snapchat app. Google could see that. Let's say you need to type in your password. Google could see that, too. Let's say you send a Snapchat to a friend. Yes, Google could see that as well.

The web extension even goes beyond the level of tracking that Facebook was willing to do. Like Facebook, apparently being able to track 80% of all Internet traffic wasn’t enough: the web extension reports all of your web browsing back to Google, even if it’s over HTTPS. It can also collect every single action you make on any website (from composing private messages to browsing a shopping site), and any information stored or saved in your browser. Google even admits to collecting Social Security Numbers and credit card numbers through this program, though it claims that these are “not the focus” of the surveillance.

In addition, Screenwise invades your private living spaces through a custom router. It can’t intercept HTTPS traffic. But because DNS lookups are currently unencrypted, Google can record every single site that anyone visits while connected to your WiFi. And, of course, it can see any unencrypted app and web traffic on your home WiFi, too.

To top it all off, there’s the “TV Meter,” which is an always-on microphone in your house that collects and sends Google audio from your TV as well as any nearby chatter it picks up—a wiretap for your living room.

“But They Consented!”

Although Google’s explanation of its program is somewhat more clear than Facebook’s, it will not be obvious to many people how thoroughly Google is spying on them if they don’t read all of the lengthy privacy policy.

Google has even less consent from the family members of people who installed Google’s snooping tools. These devices aren’t just spying on a person—they’re spying on a household, which can involve guests, who aren’t likely to know about the surveillance at all, and children under 13. Yes, Google “prohibits” children under 13 from taking part in this invasive digital tracking, gives options for pausing the tracking when kids are involved or guests are over, and asks users to inform any house guests about the surveillance. In reality, this provides the company cover rather than protecting your children or guests. By offering temporary “opt-out” options to “protect your privacy,” Screenwise simply shifts the responsibility onto the surveilled user—exactly the sort of behavior that’s been allowed under lax privacy laws, and needs to change under new ones.

Finally, none of Google’s messaging is clear about who it’s sharing all this data with. At the end of its privacy policy, Google mentions it can share all of this collected information with “trusted businesses,” without giving a hint as to who those could be or what they might do with our data.

Screenwise is not the only problem. Just this morning, a new study detailed how Google tricks regular users into “opting in” to constant tracking with deceptive UX flows and default settings.

With each passing day, it’s increasingly clear that we can’t rely on the “ethics” and “value systems” of corporations to judge their own messaging around consent. Jargon-filled dialog boxes, pages of fine print, and hidden privacy policies aren’t enough. When profits are driven by collecting and selling our data, companies are incentivized to manipulate as many people to “opt in” as possible.

Facebook’s and Google’s extensive “research” into user behavior, in exchange for a few gift cards, is more evidence of the dire need for new carefully-tailored rules to protect user privacy, and an end to the era of companies dictating users’ legal rights.

Related Updates

The full weight of U.S. policing has descended upon protesters across the country as people take to the streets to denounce the police killings of Breonna Taylor, George Floyd, and countless others who have been subjected to police violence. Along with riot shields, tear gas, and other crowd control...

Your phone is your life. It’s where you communicate, get your news, take pictures and videos of your loved ones, relax and play games, and find a significant other. It can track your health, give you directions, remind you of events, and much more. It’s an incredibly helpful tool, but...

EFF has joined a broad coalition of civil liberties, civil rights, and labor advocates to oppose A.B. 2261, which threatens to normalize the increased use of face surveillance of Californians where they live and work. Our allies include the ACLU of California, Oakland Privacy, the California Employment Lawyers Association, Service...

In the wake of nationwide protests against the police killings of George Floyd and Breonna Taylor, we urge protestors to stay safe, both physically and digitally. Our Surveillance Self Defense (SSD) Guide on attending a protest offers practical tips on how to maintain your privacy and minimize your digital...

With states beginning to ease shelter-in-place restrictions, the conversation on COVID-19 has turned to questions of when and how we can return to work, take kids to school, or plan air travel.Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in...

When it comes to surveillance of our online lives, Internet service providers (ISPs) are some of the worst offenders. Last year, the state of Maine passed a law targeted at the harms ISPs do to their customers when they use and sell their personal information. Now that law is...

COVID-19, and containment efforts that rely on personal data, are shining a spotlight on a longstanding problem: our nation’s lack of sufficient laws to protect data privacy. Two bills before Congress attempt to solve this problem as to COVID-19 data. One is a good start that needs improvements. The other...

In a landmark decision, the German Constitutional Court has ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional. Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this a major victory for global civil liberties, but especially those that live and...